AntiViruses: How Many Licenses to Buy

Dear Experts,

In an ideal situation, the IT guy would have his way and be able to purchase antivirus licenses for each and every computer in his organization. But now, the Finance guy wants to buy as few licenses as possible.

I'd like to ask 2 things:

1. We're thinking of installing the antivirus software only on the central servers. The central servers are where all our critical data is stored, so we are thinking that we only want to protect that. In theory, the antivirus would kinda block all viruses from getting to the server. What are the risks involved if we choose not to protect the clients and workstations?

2. Is this a common practice for companies? Do the majority of companies protect each and every PC in their organization? About how many percent of companies install antivirus in all their PCs?

What you should think of is: how can viruses come into my network, e.g.
1. Email.
2. Internet.
3. USB sticks.

And for all these circumstances a virus scanner on central servers simply would not do.

For your second question: It is normal for companies to have a virus scanner on every PC.
I use Kaspersky on my workstations / fileservers / Exchange Server so I know that every possible entrance is protected.
Yes, it is expensive in the beginning, but after a weekend fixing your company network with loss of personal data, what is expensive?
You could also use free antivirus clients like AVG or AVAST (they are free for personal use, maybe the license might not apply to a company situation).

It is fairly common practice to have an antivirus on every computer in a company.
Even at school we used to have one on each PC.
If the budget is tight, you might apply your own suggestion - install antivirus on the most relevant computers only.
This should prevent a virus from spreading there if any other PC in the network gets one.

Also, some antiviruses (I know NOD32 can do this, not sure about others) can scan a network drive.
So you can install as few AVs as possible and still schedule periodical scans on other network computers from the ones that have AV installed.

To secure your data even more, use one server to receive e-mails, scan them and then re-send them to their original recipients.
For Internet connection, use a proxy server with AV.
If you can't use a proxy server, force users to use Firefox, Opera or some other reliable software (other than Internet Explorer).
Also, install some free anti-spyware applications and run scheduled scans.

Regarding USB keys, floppies, CDs and so on, there's nothing you can do but those scheduled scans for unprotected computers.

Hi jugheadyong,
richrumble is the expert on "principle of least privilege", but I have never tried it. He is obviously more qualified than most to talk about security.

My recommendation is always a full 'Suite' of Enterprise protection and my favorite product is McAfee. I've been using it on different networks for about six years and highly endorse it.

Regarding the 'bean-counter' (Finance guy) - ask him to calculate the cost of every employee in the operation sitting around for days doing nothing while the IT staff attempts to rebuild your entire infrastructure.
He probably won't want to get into THAT discussion, but make sure the real decision makers are thinking about it.

All of your computing devices need their own AV protection (and anti-spyware) - to include all those cute little hand-held gizmos that CEOs like to carry around.

Most Security courses or seminars I attend display the latest numbers on the annual 'lost productivity' cost caused by malware and it is always in the billions and billions of dollars. Current info should be available by 'Googling'.

Finally, I don't know of any 'freeware' AV applications that are available for a corporate environment, but McAfee will let you test their product before buying.

I agree with Vic (younghv) on this one and thoroughly recommend the McAfee range of products.

To quote Vic on

Regarding the 'bean-counter' (Finance guy) - ask him to calculate the cost of every employee in the operation sitting around for days doing nothing while the IT staff attempts to rebuild your entire infrastructure.
He probably won't want to get into THAT discussion, but make sure the real decision makers are thinking about it.

I would suggest using a McAfee SCM 3200 Appliance to protect your email from viruses, spam and malware, and also to enable it for Content Filtering as this will stop both employees abusing the system and spyware etc getting in.

You could then run a free AV solution on the desktop......

That's just off the top of my head......I don't know how many users you have to judge if that would save you any money.

richrumble is correct, basically the principle of least privilege (well as my understanding is) is that you only give people access to the systems they need to fulfill their role.

i.e. if they don't need Internet Access for work purposes, don't give them it......have a couple of workstations for people to check their email, browse the web etc during their breaks.

If they don't need email, don't give it to them......if they don't need USB ports....don't give them USB ports.

Lock down the security using this principle, then deploy the AV to the people who need it if you want to save a few licences........

It's a good principle to adhere to, but I've never not deployed AV to those restricted machines anyway.

McAfee also gets my vote. The Principle of Least Privilege, oversimplified, is don't run as admin for day-to-day tasks such as checking email, surfing the web etc... Admin rights are for admin tasks. It's using the lowest privilege possible to accomplish a task; this is something that *nix, BSD, Apple-Mac have been doing since day one. M$ has finally caught on and is using this in Vista. IE in Vista for example will be running in some sort of protected mode and have lower privileges than it does in other M$ OSes. In addition, in Vista, you will not be placed in the admin group by default as you have been in other M$ OSes from the start. The link I provided above goes into all this and has many links to illustrate each of these points, most of the links are from M$ itself. Here is a recent article that also reiterates the point, in the second to last paragraph from the bottom of the author's blog: http://clintonforbes.blogspot.com/2006/10/10-pros-cons-of-switching-from-windows.html

While using the LUP (least user privilege as it's called) is a great step in mitigating viri and spyware, it's foolish to assume that there are no exploits or workarounds that will affect you. The recent WMF image vulnerability M$ recently patched would allow a would-be attacker to gain SYSTEM privs (which is higher than admin actually) no matter what group your account was running in. AV still has its place, and most AV, like McAfee, have spyware and spam blocking capabilities also. LUP won't block spam, naturally :)
-rich

jugheadyong (Author) commented: 2006-10-25

Dear gang,

Thank you guys so much for your comments. Just wanna bounce this around a little before I split the points.

I cannot implement the principle of least privilege because, guess what, 80% of my PCs are running Win98. >_< (To upgrade all of them to WinXP would probably cost more than the AV).

I cannot use the free AV on our corporate machines because that's illegal. (The free AV are only free for home/personal use).

And the MOST IMPORTANT QUESTION is: if I do not care whether the PCs (clients) get infected and only care about the servers, how likely is it, or what are the risks, that viruses spread from clients to the server if the server has antivirus installed on it? How would the virus spread? Is it recommended to apply PLP on the server (I'm worried that if I apply PLP, all the services will stop working)?

Hi Jonah,
I don't know where you are, but the McAfee "Total Protection" would cost you about US$25 per computer per year.

If your bean-counter won't fork over 2 beans a month for something as basic as this ......Yikes!

Lots of malware can (and will) 'traverse' the network, running from one host to another - or even to servers. Lots more fun to take down servers and network appliances. This stuff is designed to infect the local host, then search for any 'mapped' drives (usually servers) and then head over for them.

LUP (as described by richrumble) is recommended by every security expert I know. My favorite Uncle has sent me to about every computer/network security course known to man and that principle is always stressed.

Good luck with your project and go grab the accountant by the ankles and shake some money out of his pockets.

There is this particular Lotus Domino server that I must leave logged-in for the email service to run (email service runs in an application window), and this is using Win 2000. I'm worried if I log in as a user with no privilege, the email may go haywire.

OK, if most of your PC's are Win98, then you have to factor in an eventual cost of upgrading as Windows 98 is not going to be supported much longer....I think it might have already finished, yes, it has

I agree with Younghv about the Total Protection Cost option from McAfee, but now the support (i.e. patches) has finished from Microsoft, if any flaws are discovered then Microsoft is not going to help you. You will need to be protected.

What server OS are you using?

The only other way to do it would be to run an online scan (free from McAfee) every month on each PC and ensure that any viruses are removed manually.....yet more strain on a normally busy IT Department.

I have to agree with Vic, you will need to protect yourself on the key PCs, but you might get away with a free scan every month on the PCs that are not essential.

Wow, I'm even quoting myself here!

Quote -
i.e. if they don't need Internet Access for work purposes, don't give them it......have a couple of workstations for people to check their email, browse the web etc during their breaks.

If they don't need email, don't give it to them......if they don't need USB ports....don't give them USB ports.

Lock down the security using this principle, then deploy the AV to the people who need it if you want to save a few licences........

Then run the free scan on the PC's that don't have the AV and use the licenced product to scan the unprotected PCs i.e. share their hard drives as a network drive and scan them weekly.

Or, burn a CD using McAfee Cleanboot once a month (available with a grant number if you buy McAfee product for the machines you want to protect) and get the machines to boot automatically to the CD drive each time they are booted (or USB drive, your call) and then at least they are checked when they boot up without a need for a licence as the product won't be installed on them.

With mostly 98 machines, you actually might not have to worry about modern viri; oftentimes they won't work as they are exploiting more recent OSes, and the DLLs, EXEs and other apps they seek to exploit aren't present on 98. I'd say you're pretty safe for most things. If you do have a modern email client on them, then you're more likely to get infected on the PCs. You should purchase McAfee or other for the servers if that is all you're concerned about. Servers shouldn't be used as regular PCs, so I doubt you need LUP; when you log on to a server, typically it's to administer the server. Email servers and AV typically run as System (this is typical of an installed service) so LUP won't be a factor. Buy enough licenses for your servers.
-rich

When I look at the logs of our AV apps - or repair civilian computers that run without AV - I see infections from stuff that has been around for years and years. I don't think that crap EVER dies - it just hangs around in cyber-space waiting to pounce.

My concern for the servers was the potential for unprotected (read infected) WIN 98 boxes mapped to or accessing Network Server Shares.

Even with protection, I would be concerned with a 'Virus Storm' (à la Blaster) hammering through the protection.

Regarding WIN 98, I built a 'scrap' computer from parts for my grandchildren to play and it runs 98 - it does everything they need - but I sure wouldn't run it in a corporate environment or exposed to the Internet.